A model-theoretic approach can establish security theorems, which are formulas expressing authentication and non-disclosure properties of protocols. Security theorems have a special form, namely quantified implications $\forall \bar{x}.\,(\phi \supset \exists \bar{y}.\,\psi)$.

Models (interpretations) for these formulas are skeletons, partially ordered structures consisting 
of a number of local protocol behaviors. Realized skeletons contain enough local sessions to explain 
all the behavior, when combined with some possible adversary behaviors. 

We show two results. (1) If $\phi$ is the antecedent of a security goal, then there is a skeleton $\mathbb{A}_\phi$ such that, for every skeleton $\mathbb{B}$, $\phi$ is satisfied in $\mathbb{B}$ iff there is a homomorphism from $\mathbb{A}_\phi$ to $\mathbb{B}$. (2) A protocol enforces $\forall \bar{x}.\,(\phi \supset \exists \bar{y}.\,\psi)$ iff every realized homomorphic image of $\mathbb{A}_\phi$ satisfies $\psi$.

Since the program CPSA finds the minimal realized skeletons, or "shapes," that are homomorphic images of $\mathbb{A}_\phi$, if $\psi$ holds in each of these shapes, then the goal holds.

1 Introduction 

Much work has been done in recent years on cryptographic protocol analysis. A central problem is, given 
a protocol, to determine whether a formula, expressing a security goal about its behaviors in the presence 
of an adversary, is true. If the protocol achieves the goal, one would like some explanation why. If it 
does not achieve the goal, one would like a counterexample. A security goal is a quantified implication: 

$$\forall \bar{x}.\,(\phi_0 \supset \exists \bar{y}.\,\psi) \qquad (1)$$

The hypothesis $\phi_0$ is a conjunction of atomic formulas describing regular behavior. The conclusion $\psi$ is a disjunction of zero or more such conjunctions, i.e. $\psi$ is $\bigvee_{1\le i\le k}\phi_i$. When the $\phi_i$ describe desired behaviors of other regular participants, who are intended to be peers in protocol runs, then this goal is an authentication goal. It says that each protocol run contains at least one peer execution from $k$ different possibilities among which the protocol may allow the participants to choose.

When $k = 0$, $\psi$ is the empty disjunction false. If $\phi_0$ mentions an unwanted disclosure, (1) says the disclosure cannot occur. Hence, security goals with $k = 0$ express secrecy goals.¹

Our models are skeletons, partially ordered sets of regular strands, i.e. local behaviors of regular participants. A skeleton $\mathbb{A}$ defines a set of executions, namely executions in which images of these strands can be found. We use $\mathbb{A},\sigma \models \Phi$ in the classical sense, to mean that the formula $\Phi$ is satisfied in the skeleton $\mathbb{A}$, when the variable assignment $\sigma$ determines how variables free in $\Phi$ are interpreted.

A skeleton $\mathbb{A}$ is an execution if it is realized. This means that the message transmissions in $\mathbb{A}$, when combined with possible adversary behavior, suffice to explain every message received in $\mathbb{A}$. A counterexample to a goal $G$ is a realized skeleton $\mathbb{C}$ such that, for some variable assignment $\sigma$, $\mathbb{C},\sigma \models \phi_0$, and for every extension $\sigma'$ of $\sigma$, $\mathbb{C},\sigma' \models \neg\psi$. $\mathbb{C}$ is a counterexample to $G$ only if $\mathbb{C}$ is realized, even though $\models$ is also well-defined for non-realized skeletons.

*Supported by the MITRE-Sponsored Research program. Author's address: guttman@{mitre.org,wpi.edu}. 

¹ We will use $\phi, \phi_i$, etc., for conjunctions of 0 or more atomic formulas, and $\psi$ for disjunctions $\bigvee_{1\le i\le k}\phi_i$ where $0 \le k$.
We focus on the homomorphisms among models. A homomorphism is a structure-preserving map, which may embed one skeleton into a larger one; may identify one strand with another strand that sends and receives similar messages; and may fill in more information about the parameters to the strands. As usual, homomorphisms preserve satisfaction for atomic formulas. Suppose $H$ is a homomorphism $H : \mathbb{A} \mapsto \mathbb{B}$, and suppose $\mathbb{A},\sigma \models \phi$, i.e. the skeleton $\mathbb{A}$ satisfies the atomic formula $\phi$ under an assignment $\sigma$, which maps variables occurring in $\phi$ to values that may appear in $\mathbb{A}$. Then $\mathbb{B}, H\circ\sigma \models \phi$.

This holds for conjunctions of atomic formulas also. Thus, a security goal $\forall \bar{x}.\,(\phi_0 \supset \exists \bar{y}.\,\psi)$ concerns the homomorphic images of skeletons satisfying $\phi_0$. If any homomorphic image $\mathbb{C}$ is realized, then $\mathbb{C}$ should satisfy the disjunction $\psi$, i.e. $\mathbb{C}$ should satisfy at least one of the disjuncts $\phi_i$ for $1 \le i \le k$.

We already have a method for constructing homomorphisms from a skeleton $\mathbb{A}$ to realized skeletons [ ]. The Cryptographic Protocol Shapes Analyzer CPSA is a program that, given a protocol $\Pi$ and a skeleton of interest $\mathbb{A}$, generates all of the minimal, essentially different realized skeletons that are homomorphic images of $\mathbb{A}$. We call these minimal, essentially different skeletons shapes, and there are frequently very few of them.

Main Results. We show how a single run of the search for shapes checks the truth of a security goal. To determine whether $\Pi$ achieves a goal $G = \forall \bar{x}.\,(\phi_0 \supset \exists \bar{y}.\,\psi)$, we find the shapes for the single skeleton $\mathbb{A}_{\phi_0}$. Two technical results are needed to justify this.

• For any security hypothesis $\phi_0$, a single skeleton $\mathbb{A}_{\phi_0}$ characterizes $\phi_0$. I.e., for all $\mathbb{B}$:

$$\exists \sigma.\ \mathbb{B},\sigma \models \phi_0 \quad\text{iff}\quad \exists H.\ H : \mathbb{A}_{\phi_0} \mapsto \mathbb{B}.$$

• There exists a realized $\mathbb{C}$ that is a counterexample to $G$ iff there exists some shape $H : \mathbb{A}_{\phi_0} \mapsto \mathbb{B}$ where $\mathbb{B}$ provides a counterexample.

Our main results suggest a recipe for evaluating a goal $G = \forall \bar{x}.\,(\phi_0 \supset \exists \bar{y}.\,\psi)$ for a protocol $\Pi$.

1. Construct the skeleton $\mathbb{A}_{\phi_0}$.

2. Ask CPSA what shapes are accessible in $\Pi$, starting from $\mathbb{A}_{\phi_0}$.

3. As CPSA delivers shapes, check that each satisfies some disjunct $\phi_i$.

4. If the answer is no, this shape is a counterexample to $G$.

5. If CPSA terminates with no counterexample, then $G$ is achieved.

Since the problem is undecidable [9], it is also possible that CPSA will not terminate. Step 3 is easy, since each $\phi_i$ is a conjunction of atomic formulas, and each shape is a finite (typically small) structure.

The Language of Goals. For each protocol, we define a first order language $\mathcal{L}(\Pi)$, in which formulas (1) are security goals. $\mathcal{L}(\Pi)$ expresses authentication and secrecy goals [17] for $\Pi$, including "injective agreement", as adapted to strand spaces [13].² It talks only about the roles. One can say which roles executed, and how far they executed in partial executions, and with what parameters. Saying that different roles executed with the same values for certain parameters is important.

However, $\mathcal{L}(\Pi)$ is carefully designed to limit expressiveness. $\mathcal{L}(\Pi)$ says nothing about the forms of messages, and there are no function symbols for encryption or pairing. The protocol $\Pi$ determines the forms of messages, so to speak behind $\mathcal{L}(\Pi)$'s back in the semantics. Thus, $\mathcal{L}(\Pi)$ need only stipulate the underlying parameters, when describing what has happened.



² $\mathcal{L}(\Pi)$ does not express observational indistinguishability properties, or "strong secrecy" [1].
A benefit of this approach is that related protocols $\Pi, \Pi'$ may have similar languages, or indeed identical languages, when corresponding roles use the same parameters to compose messages of different concrete forms. This makes the languages $\mathcal{L}(\Pi)$ suited to analyze protocol transformations (as in [15]) to determine when security goals are preserved. We used them (with inessential differences) in [14], where we gave a syntactic criterion that ensures the safety of combining pairs of protocols. When $\Pi_1, \Pi_2$ meet the criterion, then any goal (1) in $\mathcal{L}(\Pi_1)$ that $\Pi_1$ meets is still achieved by $\Pi_1 \cup \Pi_2$. Combining $\Pi_1$ with $\Pi_2$ to form $\Pi_1 \cup \Pi_2$ is a simple sort of transformation of $\Pi_1$.

Some Related Work. To document a protocol meeting a security goal, one might like to provide a proof, e.g. in Paulson's style [19], or in the Protocol Composition Logic [6]. One might also view a counterexample as a syntactic object much like a proof. Symbolic constraint solving techniques (starting with [11, 18, 20]) treat them in this way, using rules, including unification, to construct them. The "adversary-centered" approach of Selinger [21] also leads to a proof-like treatment of protocol counterexamples, and to a model-theoretic view of achieving goals. To show that a goal is met, one exhibits a model in which axioms are satisfied, but the adversary's knowledge does not include any intended secrets. These axioms describe the behavior of the regular (non-compromised) participants. The model is a set that is invariant under disclosures effected by the protocol, but in which the secrets do not appear.

We give another model-theoretic approach to achieving goals, but from a "protocol-centered" point of view rather than an "adversary-centered" one. In contrast to Selinger, who expresses authentication properties of a protocol $\Pi$ by means of secrecy properties of an expanded protocol $\Pi'$, we represent secrecy properties as the special case of authentication properties where $k = 0$, as indicated above.

Chein and Mugnier also use homomorphisms to evaluate the truth of implications, e.g. [4, 5], in the 
context of conceptual graphs. However, that context is quite different, since their formulas are graph-like 
objects, whereas our interpretations are graph-like structures. Our framework is tuned to the specific 
case of cryptographic protocols; for instance, there is no analog of "realized" in their framework. 

Structure of this Paper. We start with some examples of protocol goals in a simple protocol that does not achieve all of them, and a corrected protocol that does (Section 2). In Section 3, we define the first order classical languages $\mathcal{L}(\Pi)$ that express security goals for each protocol $\Pi$. Section 4 defines skeletons and homomorphisms between them, and gives a semantics for $\mathcal{L}(\Pi)$ using skeletons. We show next in Section 5 that each conjunction of atomic formulas has a characteristic skeleton. In Section 6, we show how to use the characteristic skeletons to check security goals.

Strand Spaces. A strand is a (linearly ordered) sequence of nodes $n_1 \Rightarrow \dots \Rightarrow n_j$, each of which transmits or receives some message $\mathrm{msg}(n_i)$. A strand may represent the behavior of a principal in a single local session of a protocol, in which case it is a regular strand of that protocol, or it may represent a basic adversary activity. Basic adversary activities include receiving a plaintext and a key and transmitting the result of the encryption, and receiving a ciphertext and its matching decryption key, and transmitting the resulting plaintext.

A protocol $\Pi$ is a finite set of strands, which are the roles of the protocol. A strand $s$ is an instance of a role $\rho \in \Pi$, if $s = \alpha(\rho)$, i.e. if $s$ results from $\rho$ by applying a substitution $\alpha$ to parameters in $\rho$.

Message $t_1$ is an ingredient of $t_2$, written $t_1 \sqsubseteq t_2$, if $t_1$ is used to construct $t_2$ other than as an encryption key; i.e. $\sqsubseteq$ is the smallest reflexive, transitive relation such that $t_1 \sqsubseteq t_1 \hat{\ } t_2$, and $t_2 \sqsubseteq t_1 \hat{\ } t_2$, and $t_1 \sqsubseteq \{|t_1|\}_{t_2}$.

A message $t$ originates on a strand node $n$ if (1) $t \sqsubseteq \mathrm{msg}(n)$; (2) $n$ is a transmission node; and (3) $m \Rightarrow^+ n$ implies $t \not\sqsubseteq \mathrm{msg}(m)$. A value that originates only once in an execution is uniquely originating,
Figure 1: Blanchet's "Simple Example Protocol" (strand diagram; the initiator sends $\{|\{|k|\}_{\mathrm{sk}(A)}|\}_{\mathrm{pk}(B)}$ and the responder replies with $\{|s|\}_k$, as described in Section 2)

i.e. a freshly chosen value. A value that originates nowhere in an execution may nevertheless be used within regular strands to encrypt or decrypt. However, if the adversary uses a value to encrypt or decrypt, then the key must have been received, and must therefore have originated somewhere. Hence non-originating values represent uncompromised long term keys. For more detail, see the Appendix.

2 Examples 

Blanchet's Example. We start from an example suggested by Blanchet [2], as shown in Fig. 1. A principal $A$ wishes to have $B$ transmit a secret to $A$ alone. $A$ has a private signature key $\mathrm{sk}(A)$, with a public verification key known to $B$. $B$ has a private decryption key with a public encryption key $\mathrm{pk}(B)$ known to $A$. $A$ transmits a freshly chosen symmetric key $k$ to $B$, signed by $A$ and encrypted for $B$. $B$ then uses $k$ to encipher the secret $s$.

Authentication Goals of A. A wants the protocol to ensure that s came from B. 

To establish this, we attribute some assumptions to $A$, from which it may follow that $B$ has transmitted $s$. $A$ has had a run of her side of the protocol, so the execution will contain the two nodes of the strand shown on the left of the figure. We must assume that $B$'s private decryption key $\mathrm{pk}(B)^{-1}$ is uncompromised, in the sense that this private key never originates. It is thus used only by regular participants in accordance with the protocol, and never by an adversary. Moreover, we assume that the symmetric key $k$ originates only once, namely, on $A$'s first node. In particular, the adversary can not send it until after receiving $k$. In a word, the adversary will not guess $k$.

$\mathbb{A}_0$ summarizes these assumptions, as shown on the left in Fig. 2. Here $\mathrm{non}_{\mathbb{A}_0}$ is the set of long term keys assumed uncompromised for the sake of this analysis, and $\mathrm{unique}_{\mathbb{A}_0}$ is the set of fresh values assumed uniquely originating. We call a diagram of this kind a skeleton.

We want now to "analyze" this assumption, by which we mean, to find all shapes accessible from $\mathbb{A}_0$. The shapes give all the minimal, essentially different executions (realized skeletons) accessible from $\mathbb{A}_0$. CPSA reports a single shape, shown on the right of Fig. 2 as $\mathbb{A}_1$. This is what $A$ desired, as $B$ sent $s$ on its transmission node at lower right.

The antecedent of the implication expressing this goal concerns the starting point; it is $\phi_A =$

$$\mathrm{Init2}(n_2, a, b, k, s) \wedge \mathrm{Unq}(k) \wedge \mathrm{Non}(\mathrm{sk}(a)) \wedge \mathrm{Non}(\mathrm{inv}(\mathrm{pk}(b))).$$

The predicate $\mathrm{Init2}(n_2, a, b, k, s)$ says that $n_2$ is the second node of an initiator strand with the given parameters. The remaining conjuncts express the supplementary assumptions about non-compromised long term keys and a fresh session key. The fact that the only shape we obtain is $\mathbb{A}_1$, which has a responder's second node with the desired parameters, validates:

$$\phi_A \supset \exists m.\, \mathrm{Resp2}(m, a, b, k, s).$$
Figure 2: Skeletons $\mathbb{A}_0$, $\mathbb{A}_1$, input and output for CPSA, with $t_0 = \{|\{|k|\}_{\mathrm{sk}(A)}|\}_{\mathrm{pk}(B)}$; $\{\mathrm{pk}(B)^{-1}\} = \mathrm{non}_{\mathbb{A}_0} = \mathrm{non}_{\mathbb{A}_1}$, $\{k\} = \mathrm{unique}_{\mathbb{A}_0} = \mathrm{unique}_{\mathbb{A}_1}$

The conclusion of this implication describes some of the additional structure contained in $\mathbb{A}_1$.

Confidentiality of s. The analysis for $A$'s confidentiality goal is similar. We again use the same assumptions, augmented by the pessimistic assumption that $s$ is compromised. We represent this using a trick: We use a listener node $\bullet$ that "hears" the value $s$ shorn of any cryptographic protection. Here we must also assume that $s \in \mathrm{unique}_{\mathbb{A}_2}$, since otherwise possibly the adversary will simply guess (re-originate) $s$. Thus, we start the analysis with the form shown in Fig. 3. We now reach an impasse: CPSA reports that no shape exists, starting from $\mathbb{A}_2$. Thus, $\mathbb{A}_2$ is dead: No realized skeleton can result from it. We express this confidentiality goal in the form:

$$\phi_A \wedge \mathrm{Unq}(s) \wedge \mathrm{Lsn}(m, s) \supset \mathit{false}.$$

The conjunct $\mathrm{Lsn}(m, s)$ describes the listener node $m$ that "hears" the value $s$. This listener node is incompatible with the other assumptions $\phi_A$. Thus, $A$ achieves her goals using this protocol.



Authentication Goal for B. Unfortunately, the situation is less favorable for $B$. We start the analysis with the skeleton $\mathbb{A}_3$, shown on the left in Fig. 4. It represents the hypothesis $\phi_B$:

$$\mathrm{Resp2}(m, a, b, k, s) \wedge \mathrm{Unq}(k) \wedge \mathrm{Non}(\mathrm{sk}(a)) \wedge \mathrm{Non}(\mathrm{inv}(\mathrm{pk}(b)))$$

We obtain the form $\mathbb{A}_4$ shown on the right in Fig. 4. Unfortunately, we have learnt nothing about the
Figure 3: $\mathbb{A}_2$, for $A$'s confidentiality analysis, with no shapes; $\{\mathrm{pk}(B)^{-1}\} = \mathrm{non}_{\mathbb{A}_2}$, $\{k, s\} = \mathrm{unique}_{\mathbb{A}_2}$

Figure 4: $\mathbb{A}_3$, $\mathbb{A}_4$, for $B$'s authentication goal; $\{\mathrm{sk}(A), \mathrm{pk}(B)^{-1}\} = \mathrm{non}_{\mathbb{A}_3} = \mathrm{non}_{\mathbb{A}_4}$, $\{k\} = \mathrm{unique}_{\mathbb{A}_3} = \mathrm{unique}_{\mathbb{A}_4}$



recipient $C$ for whom $A$ intended this key. Possibly $\mathrm{pk}(C)^{-1}$ is compromised. Thus, the adversary can decrypt $\{|\{|k|\}_{\mathrm{sk}(A)}|\}_{\mathrm{pk}(C)}$ and use $B$'s public key to construct $\{|\{|k|\}_{\mathrm{sk}(A)}|\}_{\mathrm{pk}(B)}$. Thus, skeleton $\mathbb{A}_4$ is realized, but validates only:

$$\phi_B \supset \exists n, c.\, \mathrm{Init1}(n, a, c, k).$$

The expected initiator has got to step 1 of a run with some $c$, and, as the protocol ensures, has originated the key $k$. However, since possibly $C \neq B$, confidentiality for $k$ and $s$ may fail.

The details of the CPSA run make clear how to fix the protocol. This requires us to replace $t_0$ with $\{|\{|k \hat{\ } B|\}_{\mathrm{sk}(A)}|\}_{\mathrm{pk}(B)}$, which includes $B$'s identity under $A$'s signature. In fact, Blanchet [2] makes a more complicated suggestion, using the component $\{|k \hat{\ } A \hat{\ } B|\}_{\mathrm{sk}(A)}$. However, the CPSA analysis is very precise, and indicates that only the responder's identity needs to be included inside the signature.
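The redirection attack on $\mathbb{A}_4$ and the effect of the correction can be replayed symbolically. The following is an added example, not code from the paper or from CPSA: messages are Python tuples, `inv` is this example's own encoding of the key inverse $K^{-1}$, `analyze` and `synth` implement the Dolev-Yao actions listed in footnote 4, and `init1`, `resp1`, `resp2`, `run` are names chosen here. As in the paper, the adversary holds $C$'s private decryption key and the (public) verification key for $\mathrm{sk}(A)$, while $\mathrm{sk}(A)$ itself is non-originating.

```python
"""Symbolic replay of the attack on Blanchet's example and of its fix.

Added illustration; not the paper's code. Atoms (names, keys, the secret)
are strings, compound messages are tuples. The adversary is Dolev-Yao:
it splits concatenations, decrypts with a known inverse key, and builds
concatenations and encryptions from what it already holds.
"""

def pk(name): return ("pk", name)
def sk(name): return ("sk", name)
def enc(t, k): return ("enc", t, k)
def cat(*ts): return ("cat",) + ts

def inv(key):
    """Inverse key: symmetric (atomic) keys are self-inverse; asymmetric key
    terms pair with an 'inv' term, and (K^-1)^-1 = K."""
    if isinstance(key, tuple) and key[0] == "inv":
        return key[1]
    if isinstance(key, tuple) and key[0] in ("pk", "sk"):
        return ("inv", key)
    return key

def analyze(known):
    """Close a set of messages under the decomposition actions."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == "cat":
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == "enc" and inv(t[2]) in known:
                new.add(t[1])
        if new <= known:
            return known
        known |= new

def synth(t, known):
    """Can the adversary build t from an analyzed knowledge set?"""
    if t in known:
        return True
    if isinstance(t, tuple) and t[0] == "cat":
        return all(synth(x, known) for x in t[1:])
    if isinstance(t, tuple) and t[0] == "enc":
        return synth(t[1], known) and synth(t[2], known)
    return False

def init1(a, b, k, fixed):
    """Initiator's first message: k (and, in the corrected protocol, the
    responder's name) under a's signature, encrypted for b."""
    body = cat(k, b) if fixed else k
    return enc(enc(body, sk(a)), pk(b))

def resp1(b, a, msg, fixed):
    """Responder b's check of the first message, expecting signer a.
    Returns the accepted session key, or None on rejection."""
    if not (isinstance(msg, tuple) and msg[0] == "enc" and msg[2] == pk(b)):
        return None
    signed = msg[1]
    if not (isinstance(signed, tuple) and signed[0] == "enc" and signed[2] == sk(a)):
        return None
    body = signed[1]
    if fixed:   # the name under the signature must be b's own
        if not (isinstance(body, tuple) and body[0] == "cat" and body[2] == b):
            return None
        return body[1]
    return body

def resp2(k, s):
    return enc(s, k)

def run(fixed):
    """A intends k for C; the adversary, holding C's private key, tries to
    redirect A's signed key to B. Returns (key B accepts or None,
    whether the adversary ends up knowing s)."""
    k, s = "k", "s"
    m1 = init1("A", "C", k, fixed)
    adv = analyze({"A", "B", "C", pk("A"), pk("B"), pk("C"),
                   inv(sk("A")),          # verification key is public
                   inv(pk("C")),          # pk(C)^-1 is compromised
                   m1})
    accepted = None
    for t in adv:                          # re-encrypt any signed term for B
        if isinstance(t, tuple) and t[0] == "enc" and t[2] == sk("A"):
            forged = enc(t, pk("B"))
            if synth(forged, adv):
                accepted = resp1("B", "A", forged, fixed)
                if accepted is not None:
                    break
    if accepted is None:
        return None, False
    adv = analyze(adv | {resp2(accepted, s)})   # B now sends {|s|}_k
    return accepted, s in adv
```

`run(False)` reports that $B$ accepts $k$ and the adversary then recovers $s$, which is the confidentiality failure described above; `run(True)` reports that $B$ rejects, because the name under $A$'s signature is $C$ and the adversary cannot re-sign without $\mathrm{sk}(A)$.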



3 Language 

We now consider the logical representation of our example authentication and confidentiality goals. 

Role Predicates. We need to be able to describe the different kinds of nodes that are present in a 
skeleton, namely the initiator's first and second nodes, and the responder's first and second nodes, each 
of which has a number of parameters. We must be able to express these parameters, because we know 
(e.g.) that whether the initiator's first node has B or C as its responder identity parameter makes all the 
difference. On the other hand, the form of the messages is defined in the protocol, and is thus irrelevant 
to describing what goals are achieved. Thus, for Blanchet's simple example protocol, we suggest four 
protocol-specific predicates: 

Init1(m, a, b, k)        Resp1(m, a, b, k)
Init2(m, a, b, k, s)     Resp2(m, a, b, k, s)

Suppose that we are given a variable assignment $\sigma$ that associates values $\sigma(m)$, $\sigma(a)$, etc. to the variables $m, a$, etc. Then we read $\mathrm{Init1}(m, a, b, k)$ as asserting that $\sigma(m)$ is a node, which is the first step of an initiator strand, and the initiator is $\sigma(a)$, its intended responder is $\sigma(b)$, and it has created the key $\sigma(k)$ for this session. We read $\mathrm{Init2}(m, a, b, k, s)$ as asserting that $\sigma(m)$ is a node, which is the second step of an initiator strand, and the initiator is $\sigma(a)$, its intended responder is $\sigma(b)$, the session key is $\sigma(k)$, and the intended secret is $\sigma(s)$. Thus, if $\mathrm{Init2}(m, a, b, k, s)$, then we know that $m$ is preceded by a node $n$ such that $\mathrm{Init1}(n, a, b, k)$ is true under the same $\sigma$. Analogous explanations hold for the responder role.

These role predicates are similar to those used by Cervesato, Durgin et al. [3, 10] in multiset rewriting. 

We also need a role predicate $\mathrm{Lsn}(m, v)$, which says, under an assignment $\sigma$, that $\sigma(m)$ is a listener node that receives the value $\sigma(v)$. The language $\mathcal{L}(\Pi)$, where $\Pi$ is Blanchet's example protocol, contains these five role predicates.

Shared Vocabulary. All languages $\mathcal{L}(\Pi)$ also contain some additional predicates. $\mathrm{Preceq}(m, n)$ expresses the causal partial ordering $\preceq$. $\mathrm{Col}(m, n)$ says that $\sigma(m)$ and $\sigma(n)$ are collinear, i.e. they lie on the same strand. $\mathrm{Non}(v)$ and $\mathrm{Unq}(v)$ express the assumptions that $\sigma(v) \in \mathrm{non}$ and $\sigma(v) \in \mathrm{unique}$, resp.

In Section 2, we also used the function symbols sk, pk, and inv to talk about the long term signature keys of principals, their long term public encryption keys, and the inverses of those keys.

This is the full language $\mathcal{L}(\Pi)$ where $\Pi$ is Blanchet's example protocol. As it happens, the language $\mathcal{L}(\Pi')$, for the corrected version $\Pi'$ of the protocol, is identical. The roles are the same, each with the same number of nodes, and with the same parameters. Thus, nothing in the language needs to change.

Apparently, for every goal $G \in \mathcal{L}(\Pi)$, if $G$ is achieved in Blanchet's example protocol $\Pi$, then $G$ is also achieved in its correction $\Pi'$. Moreover, additional formulas are achieved in $\Pi'$. A satisfactory theory of protocol transformation should give ways to prove (or disprove) intuitions like this one.

The Languages $\mathcal{L}(\Pi)$. For each protocol $\Pi$, $\mathcal{L}(\Pi)$ is a language for talking about its executions. We use typewriter font x, m, etc. for syntactic items such as variables or predicates within the language.

Suppose that $\Pi$ has $r$ protocol-specific roles $\{\rho_1, \dots, \rho_r\}$, where each role $\rho_i$ is of length $|\rho_i|$, and the listener role. We let $\{\mathrm{RP}_{0,1}, \dots, \mathrm{RP}_{r,|\rho_r|}\}$ be a collection of $1 + \sum_i |\rho_i|$ predicate symbols. $\mathrm{RP}_{0,1}$ is the listener role predicate, which we will write as $\mathrm{Lsn}(m, v)$, indicating that node $m$ receives the value $v$. Each remaining predicate $\mathrm{RP}_{i,j}$ takes parameters $(m, v_1, \dots, v_k)$ where the $j$th node on role $\rho_i$, and its predecessors, have involved $k$ parameters.

We write $\mathrm{fv}(\Phi)$, $\mathrm{bv}(\Phi)$ for the free and bound variables of any formula $\Phi$, defined in the usual way. The empty disjunction $\bigvee_{i \in \emptyset} \phi_i$ is identical with false; a one-element disjunction or conjunction is identical with its single disjunct or conjunct.

Definition 3.1 1. $\mathcal{L}(\Pi)$ is the classical first order quantified language with vocabulary:
Variables (unsorted) ranging over messages and nodes;
Function symbols sk, pk, inv;³

Predicate symbols equality $u = v$, falsehood false (no arguments), and:

• Non(v), and Unq(v);

• Col(m, n) and Preceq(m, n);

• One role predicate $\mathrm{RP}_{i,j}$ for each $\rho_i \in \Pi$ and $j$ with $1 \le j \le |\rho_i|$.

The predicate $\mathrm{RP}_{i,j}(m, v_1, \dots, v_k)$ for the $j$th node on $\rho_i$ has as arguments: a variable $m$ for the node, and variables $v_i$ for each of the $k$ parameters that have appeared in any of $\rho_i$'s first $j$ messages.

2. A security claim is a conjunction of atomic formulas of $\mathcal{L}(\Pi)$ such that two conditions hold:

(a) Any two role predicate conjuncts have different variables as their first arguments $n, n'$.

(b) If a conjunct is not a role predicate, then each variable or key term that appears as an argument to it also appears as argument to some role predicate $\mathrm{RP}_{i,j}(n, t_1, \dots, t_l)$.

3. A sentence $\forall \bar{x}.\,(\phi \supset \exists \bar{y}.\,\psi)$ is a security goal if (1) the $\bar{x}$s and $\bar{y}$s are disjoint; (2) $\phi$ is a security claim; and (3) $\psi$ is a disjunction $\bigvee_i \phi_i$ of conjunctions $\phi_i$ of atomic formulas.

³ We call terms built with these unary function symbols key terms.

The conditions in Clauses 2a-2b on security claims $\phi$ allow us to construct a single skeleton to characterize $\phi$ (Thm. 5.2). Without Clause 2a, we would have to be rather careful in our choice of message algebras and protocols to ensure that there is a single "most general" role that applies when two roles can have common instances. The role predicate $\mathrm{RP}_{i,j}$ in Clause 2b serves as an implicit sort declaration for the variables $\bar{x}$ appearing in it. The sorts of parameters within the role $\rho_i$ determine the set of values that may lead to true instances of this atomic formula.
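Clause 1 of Definition 3.1 fixes the role predicates of $\mathcal{L}(\Pi)$ purely from which parameters have appeared in a role's first $j$ messages, which is why Blanchet's protocol and its correction share a language. The following added example (not the paper's code) derives the predicates from role descriptions: `params`, `role_predicates` and `blanchet` are names chosen here, a role is given as the ordered list of messages on its nodes, and the argument order of each predicate is fixed alphabetically, which is a convention of this example only.

```python
"""Deriving the role predicates of L(Pi) from a protocol's roles (Def. 3.1).

Added illustration; not the paper's code. A role is the list of messages on
its nodes in order; RP_ij takes the node plus every parameter that has
appeared in the first j messages of role i. Messages are tuples and
parameters are strings, as in the rest of this example.
"""

def pk(name): return ("pk", name)
def sk(name): return ("sk", name)
def enc(t, k): return ("enc", t, k)
def cat(*ts): return ("cat",) + ts

def params(msg):
    """Parameters (atoms, i.e. strings) occurring anywhere in a message,
    in order of first occurrence."""
    if isinstance(msg, str):
        return [msg]
    out = []
    for sub in msg[1:]:                 # skip the constructor tag
        for p in params(sub):
            if p not in out:
                out.append(p)
    return out

def role_predicates(protocol):
    """protocol: dict role name -> list of messages (direction is irrelevant
    to the language). Returns dict predicate name -> parameter list; the
    listener role contributes Lsn(m, v) with the single parameter v."""
    preds = {"Lsn": ["v"]}
    for role, msgs in protocol.items():
        seen = []
        for j, msg in enumerate(msgs, 1):
            for p in params(msg):
                if p not in seen:
                    seen.append(p)
            preds[f"{role}{j}"] = sorted(seen)   # alphabetical order: a convention
    return preds

def blanchet(fixed):
    """Blanchet's example protocol (fixed=False) and its correction, which
    puts the responder's name under the signature (fixed=True)."""
    a, b, k, s = "a", "b", "k", "s"
    body = cat(k, b) if fixed else k
    m1 = enc(enc(body, sk(a)), pk(b))
    m2 = enc(s, k)
    return {"Init": [m1, m2], "Resp": [m1, m2]}
```

`role_predicates(blanchet(False))` and `role_predicates(blanchet(True))` are equal dictionaries: the extra name under the signature in $\Pi'$ is already a parameter of the first message, so no predicate changes its arity.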

We have already illustrated three security goals earlier, in Section 2; or, more precisely, we have shown three formulas whose universal closures are security goals. Another relevant example is the "missing" confidentiality goal that a responder would have wanted, but was actually not achieved by $\Pi$ but only by its correction $\Pi'$. It is the universal closure of:

$$\mathrm{Resp2}(n_2, a, b, k, s) \wedge \mathrm{Unq}(k) \wedge \mathrm{Non}(\mathrm{sk}(a)) \wedge \mathrm{Non}(\mathrm{inv}(\mathrm{pk}(b))) \wedge \mathrm{Lsn}(m, s) \supset \mathit{false}.$$

Axiomatizing Protocols. $\mathcal{L}(\Pi)$ is specifically intended to limit expressiveness, and there is no way to axiomatize the behavior of protocols within it. However, the slightly larger language $\mathcal{L}^+(\Pi)$ appears sufficient to axiomatize protocol behaviors, and derive security goals. It adds to $\mathcal{L}(\Pi)$:

Function symbols $\mathrm{concat}(v_1, v_2)$ and $\mathrm{enc}(v_1, v_2)$, representing the concatenation of two messages $v_1, v_2$ and the encryption of a message $v_1$ using a second message $v_2$ as key; and $\mathrm{msgAt}(n_1)$ returning the message transmitted or received on the node $n_1$;

Predicate symbols $\mathrm{Xmit}(n_1)$ and $\mathrm{Rcv}(n_1)$, true if $n_1$ is a transmission node or reception node, resp.

A few inductively defined notions such as "message $t_0$ is found only within the set of encryptions $S$ in message $t_1$" [8, extended version, Def. 6] must be introduced using these primitives. The property of a skeleton being realized can then be expressed as a closed sentence. With these notions, the reasoning encoded in CPSA could be carried out axiomatically, at least in theory, within $\mathcal{L}^+(\Pi)$. The important theorems would be the security goals, which lie within the sublanguage $\mathcal{L}(\Pi)$.

4 Skeletons, Homomorphisms, and Satisfaction 

Before we define the satisfaction relation $\mathbb{A}, \sigma \models \phi$, we must define the skeletons that we have already worked with in Section 2. We start by summarizing our assumptions about the message algebra; more detail may be found in Appendix A.

Message Algebra. Let $\mathfrak{A}_0$ be an algebra equipped with some operators and a set of homomorphisms $\eta : \mathfrak{A}_0 \to \mathfrak{A}_0$. We call members of $\mathfrak{A}_0$ atoms.

For the sake of definiteness, we will assume here that $\mathfrak{A}_0$ is the disjoint union of infinite sets of nonces, atomic keys, names, and texts. The operator $\mathrm{sk}(a)$ maps names to (atomic) signature keys, and $K^{-1}$ maps an asymmetric atomic key to its inverse, and a symmetric atomic key to itself. Homomorphisms $\eta$ are maps that respect sorts, and act homomorphically on $\mathrm{sk}(a)$ and $K^{-1}$.

Let $X$ be an infinite set disjoint from $\mathfrak{A}_0$; its members, called indeterminates, act like unsorted variables. $\mathfrak{A}$ is freely generated from $\mathfrak{A}_0 \cup X$ by two operations: encryption $\{|t_0|\}_{t_1}$ and tagged concatenation $\mathit{tag}\ t_0 \hat{\ } t_1$, where the tags $\mathit{tag}$ are drawn from some set TAG. For a distinguished tag nil, we write $\mathit{nil}\ t_0 \hat{\ } t_1$ as $t_0 \hat{\ } t_1$ with no tag. In $\{|t_0|\}_{t_1}$, a non-atomic key $t_1$ is a symmetric key. Members of $\mathfrak{A}$ are called messages.

A homomorphism $\alpha : \mathfrak{A} \to \mathfrak{A}$ consists of a homomorphism $\eta$ on atoms and a function $\chi : X \to \mathfrak{A}$. It is defined for all $t \in \mathfrak{A}$ by the conditions:

$$\alpha(a) = \eta(a),\ \text{if } a \in \mathfrak{A}_0 \qquad\qquad \alpha(\{|t_0|\}_{t_1}) = \{|\alpha(t_0)|\}_{\alpha(t_1)}$$

$$\alpha(x) = \chi(x),\ \text{if } x \in X \qquad\qquad \alpha(\mathit{tag}\ t_0 \hat{\ } t_1) = \mathit{tag}\ \alpha(t_0) \hat{\ } \alpha(t_1)$$

Thus, atoms serve as typed variables, replaceable only by other values of the same sort, while indeterminates $x$ are untyped. Indeterminates $x$ serve as blank slots, to be filled by any $\chi(x) \in \mathfrak{A}$. Indeterminates and atoms are jointly parameters.

This $\mathfrak{A}$ has the most general unifier property, which we will rely on. That is, suppose that for $v, w \in \mathfrak{A}$, there exist $\alpha, \beta$ such that $\alpha(v) = \beta(w)$. Then there are $\alpha_0, \beta_0$ such that $\alpha_0(v) = \beta_0(w)$, and whenever $\alpha(v) = \beta(w)$, then $\alpha$ and $\beta$ are of the forms $\gamma \circ \alpha_0$ and $\gamma \circ \beta_0$.

Skeletons. A skeleton is a partially ordered set of nodes, together with assumptions non about uncompromised long term keys and unique about freshly chosen values. We write $s \downarrow i$ for the $i$th node along $s$, using 1-based indexing.

A skeleton $\mathbb{A}$ consists of (possibly partially executed) role instances, i.e. a finite set of nodes, $\mathrm{nodes}(\mathbb{A})$, with two additional kinds of information:

1. A partial ordering $\preceq_{\mathbb{A}}$ on $\mathrm{nodes}(\mathbb{A})$;

2. Sets $\mathrm{unique}_{\mathbb{A}}$, $\mathrm{non}_{\mathbb{A}}$ of atomic values assumed uniquely originating and non-originating in $\mathbb{A}$.

$\mathrm{nodes}(\mathbb{A})$ and $\preceq_{\mathbb{A}}$ must respect the strand order, i.e. if $n_1 \in \mathrm{nodes}(\mathbb{A})$ and $n_0 \Rightarrow^+ n_1$, then $n_0 \in \mathrm{nodes}(\mathbb{A})$ and $n_0 \preceq_{\mathbb{A}} n_1$. If $a \in \mathrm{unique}_{\mathbb{A}}$, then $a$ must originate at most once in $\mathrm{nodes}(\mathbb{A})$. If $a \in \mathrm{non}_{\mathbb{A}}$, then $a$ must originate nowhere in $\mathrm{nodes}(\mathbb{A})$, though $a$ or $a^{-1}$ may be the key encrypting some ingredient of $n \in \mathrm{nodes}(\mathbb{A})$.

$\mathbb{A}$ is a preskeleton if it meets the conditions except that some values $a \in \mathrm{unique}_{\mathbb{A}}$ may originate more than once in $\mathrm{nodes}(\mathbb{A})$. If $\mathbb{A}$ is a preskeleton, and it is possible to extract a skeleton by identifying nodes and atoms, then there is a canonical, most general way to do so [8, extended version, Prop. 6]. The canonical skeleton extracted from $\mathbb{A}$ is called the hull of $\mathbb{A}$. We write $\mathrm{hull}_{\mathbb{A}}$ for the homomorphism (Def. 4.1) that maps a preskeleton $\mathbb{A}$ to its hull.

A skeleton $\mathbb{A}$ is a skeleton for a protocol $\Pi$ if all of its strands are strands of $\Pi$.
$\mathbb{A}$ is realized if it can occur without additional activity of regular participants; i.e., for every reception node $n$, the adversary can construct $\mathrm{msg}(n)$ via the Dolev-Yao adversary actions,⁴ using as inputs:

1. the messages $\mathrm{msg}(m)$ where $m \prec_{\mathbb{A}} n$ and $m$ is a transmission node;

2. indeterminates $x$; and

3. any atomic values $a$ such that $a \notin (\mathrm{non}_{\mathbb{A}} \cup \mathrm{unique}_{\mathbb{A}})$, or such that $a \in \mathrm{unique}_{\mathbb{A}}$ but $a$ originates nowhere in $\mathbb{A}$.

Definition 4.1 Let $\mathbb{A}_0, \mathbb{A}_1$ be preskeletons, $\alpha$ a homomorphism on $\mathfrak{A}$, and $\xi : \mathrm{nodes}(\mathbb{A}_0) \to \mathrm{nodes}(\mathbb{A}_1)$. $H = [\xi, \alpha]$ is a (skeleton) homomorphism if

1a. For all $n \in \mathbb{A}_0$, $\mathrm{msg}(\xi(n)) = \alpha(\mathrm{msg}(n))$, with the same direction, either transmission or reception;

1b. For all $s, i$, if $s \downarrow i \in \mathbb{A}_0$, then there is an $s'$ s.t. for all $j \le i$, $\xi(s \downarrow j) = s' \downarrow j$;

2. $n \preceq_{\mathbb{A}_0} m$ implies $\xi(n) \preceq_{\mathbb{A}_1} \xi(m)$;

3. $\alpha(\mathrm{non}_{\mathbb{A}_0}) \subseteq \mathrm{non}_{\mathbb{A}_1}$;

4a. $\alpha(\mathrm{unique}_{\mathbb{A}_0}) \subseteq \mathrm{unique}_{\mathbb{A}_1}$;

4b. If $a \in \mathrm{unique}_{\mathbb{A}_0}$ and $a$ originates at $n \in \mathrm{nodes}(\mathbb{A}_0)$, then $\alpha(a)$ originates at $\xi(n) \in \mathrm{nodes}(\mathbb{A}_1)$.

We write $H : \mathbb{A}_0 \mapsto \mathbb{A}_1$ when $H$ is a homomorphism from $\mathbb{A}_0$ to $\mathbb{A}_1$. When $\alpha(a) = \alpha'(a)$ for every $a$ that is an ingredient or is used for encryption in $\mathrm{dom}(\xi)$, then $[\xi, \alpha] = [\xi, \alpha']$; $[\xi, \alpha]$ is the equivalence class of pairs under this relation.

⁴ The Dolev-Yao adversary actions are: concatenating messages and separating the pieces of a concatenation; encrypting a given plaintext using a given key; and decrypting a given ciphertext using the matching decryption key.

The condition for $[\xi, \alpha] = [\xi, \alpha']$ implies that the action of $\alpha$ on atoms not mentioned in $\mathbb{A}_0$ is irrelevant. We write $H(n)$ for $\xi(n)$ or $H(a)$ for $\alpha(a)$, when $H = [\xi, \alpha]$. Evidently, preskeletons and homomorphisms form a category, of which skeletons and homomorphisms are a subcategory.

In Section 2, we have already given examples of homomorphisms. Each of the shapes we have considered is a homomorphic image of its starting point. Thus, for instance, we have homomorphisms $\mathbb{A}_0 \mapsto \mathbb{A}_1$ and $\mathbb{A}_3 \mapsto \mathbb{A}_4$. $\mathbb{A}_2$ is dead in the sense that there is no realized $\mathbb{B}$ such that $\mathbb{A}_2 \mapsto \mathbb{B}$.

Our first CPSA run in Section 2 tells us that every homomorphism from $\mathbb{A}_0$ to a realized skeleton goes "by way of" $\mathbb{A}_1$ [8]. That is, if $\mathbb{B}$ is realized and $H : \mathbb{A}_0 \mapsto \mathbb{B}$, then $H = H' \circ H_0$ where $H_0 : \mathbb{A}_0 \mapsto \mathbb{A}_1$. Thus, any realized skeleton accessible from $\mathbb{A}_0$ has at least the structure contained in $\mathbb{A}_1$, homomorphisms being structure-preserving maps.

In Figs. 2 and 4, the homomorphism simply adds nodes. I.e. $\xi$ is an embedding and $\alpha$ is the identity. However, in other homomorphisms, $\xi$ may be a bijection and $\alpha$ does the work, mapping distinct values to the same result. In other cases $\xi$ is non-injective, mapping two distinct strands in the source to the same strand in the target. For instance, suppose that $\mathbb{A}$ is a preskeleton but not a skeleton, because some $a \in \mathrm{unique}_{\mathbb{A}}$ originates on two strands. If the map $\mathrm{hull}_{\mathbb{A}}$ is well defined, then $\mathrm{hull}_{\mathbb{A}}$ must map both strands on which $a$ originates to the same strand in the target skeleton. Hence, non-trivial $\mathrm{hull}_{\mathbb{A}}$ maps are examples of non-injective homomorphisms.



Semantics for (IT). The semantics for J2?(n) are classical, with each structure a skeleton for the 
protocol IT. This requirement builds the permissible behaviors of n directly into the semantics without 
requiring an explicit axiomatization. 

An assignment a for A is a partial function from variables of Jz?(n) to 21 U nodes(IT). By convention, 
if a is undefined for any variable x in fv(*P), then A, a \j= *P. We write 0\ © 02 for the partial function 
that — for G\ and o 2 with disjoint domains — acts as either a, on the domain of that a,. 

Definition 4.2 Let Abe a skeleton for IT Extend any assignment a to key terms of 'Jzf(n) via the rules: 
<x(sk(t)) = sk(a(t)), a(inv(t)) = (a(t))- 1 . 

Satisfaction. $A, \sigma \models \Phi$ is defined via the standard Tarski inductive clauses for the classical first order logical constants, and the base clauses:

$A, \sigma \models u = v$ iff $\sigma(u) = \sigma(v)$;

$A, \sigma \models \mathrm{Non}(v)$ iff $\sigma(v) \in \mathrm{non}_A$;

$A, \sigma \models \mathrm{Unq}(v)$ iff $\sigma(v) \in \mathrm{unique}_A$;

$A, \sigma \models \mathrm{Col}(m,n)$ iff $\sigma(m), \sigma(n) \in \mathrm{nodes}(A)$, and either $\sigma(m) \Rightarrow^* \sigma(n)$ or $\sigma(n) \Rightarrow^* \sigma(m)$;

$A, \sigma \models \mathrm{Preceq}(m,n)$ iff $\sigma(m) \preceq_A \sigma(n)$;

and, for each role $\rho_i \in \Pi$ and index $j$ on $\rho_i$, the predicate $\mathrm{RP}_{i,j}(m, v_1, \ldots, v_k)$ obeys the clause

$A, \sigma \models \mathrm{RP}_{i,j}(m, v_1, \ldots, v_k)$ iff $\sigma(m) \in \mathrm{nodes}(A)$, and $\sigma(m)$ is an instance of the $j$th node on role $\rho_i$, with the parameters $\sigma(v_1), \ldots, \sigma(v_k)$.

We write $A \models \Phi$ when $A, \sigma \models \Phi$ for all $\sigma$, e.g. when $\Phi$ is a sentence satisfied by $A$.

In protocols where there are two different roles $\rho_i, \rho_{i'}$ that differ only after their first $j$ nodes, typically because they represent different choices at a branch point after the $j$th node [16, 12], the two predicates $\mathrm{RP}_{i,j}$ and $\mathrm{RP}_{i',j}$ are equivalent, as Def. A.1 makes precise.

Lemma 4.3 Suppose $\phi$ is an atomic formula, and $H : A \mapsto B$. If $A, \sigma \models \phi$, then $B, H \circ \sigma \models \phi$.

5 Characteristic Skeletons 

We write $\sigma \restriction \mathrm{fv}(\Phi)$ for the partial function $\sigma$ restricted in domain to the free variables of $\Phi$.

Definition 5.1 A pair $A, \sigma^*$ is characteristic for a formula $\Phi$ iff $A, \sigma^* \models \Phi$ and, for all $B, \sigma$,

$B, \sigma \models \Phi$ implies $\exists! H .\; H : A \mapsto B$ and $\sigma \restriction \mathrm{fv}(\Phi) = H \circ \sigma^*$. (2)

If there is such a $\sigma^*$, $A$ is a characteristic skeleton for $\Phi$.

Being a homomorphic image of this $A$ characterizes satisfiability of $\Phi$. $A$ has the minimal structure needed to make $\Phi$ true, in the sense that $\Phi$ is satisfiable in any $A'$ just in case $A'$ results from $A$ by a structure-preserving map (a homomorphism). From the form of the definition, $A, \sigma^*$ is universal among interpretations satisfying $\Phi$, and such a $A, \sigma^*$ will be unique to within isomorphism.

Constructing a Characteristic Skeleton. In order to construct a characteristic skeleton $\mathrm{cs}(\phi)$ for a security claim $\phi = \bigwedge_{1 \le i \le \ell} \phi_i$, we treat the successive atomic formulas in turn. As we do so, we maintain two data structures. One is an assignment $\sigma$ which summarizes what atomic value or node we have associated to each variable we have seen so far. Initially $\sigma$ is the empty function. The other is the characteristic skeleton $\mathrm{cs}(\bigwedge_{1 \le i \le \ell-1} \phi_i)$ constructed from the part of the formula seen so far. This is initially the empty skeleton. If $\phi$ is unsatisfiable, then instead of returning $\mathrm{cs}(\phi), \sigma$ we must fail.

We assume that the conjuncts of $\phi$ have been reordered if necessary so that atomic formulas containing role predicates precede atomic formulas of the other forms. For convenience, we also eliminate equations by replacing the left hand side by the right hand side throughout the remainder of the formula.

Base Case. If $\ell = 0$, so that $\phi = \bigwedge_{1 \le i \le 0} \phi_i = \mathrm{true}$, then let $\mathrm{cs}(\phi)$ be the empty skeleton, and let $\sigma_0$ be the empty (nowhere defined) substitution.

Recursive Step. Let $\phi = \bigwedge_{1 \le i \le \ell+1} \phi_i$, and let $A_\ell = \mathrm{cs}(\bigwedge_{1 \le i \le \ell} \phi_i)$ be a characteristic skeleton for all but the last conjunct, relative to $\sigma_\ell$. We take cases on the form of the last conjunct, $\phi_{\ell+1}$:

$\mathrm{RP}_{i,j}(m, t_1, \ldots, t_k)$: By clause 2a in Defn. 3.1, the variable $m$ is not in the domain of $\sigma_\ell$. If variables appearing in $t_1, \ldots, t_k$ are not in the domain of $\sigma_\ell$, select atoms of appropriate sorts, not yet appearing in $A_\ell$, letting $\sigma'$ be the result of extending $\sigma_\ell$ with these choices. Let $n_1 \Rightarrow \ldots \Rightarrow n_j$ be the first $j$ nodes of the role $\rho_i$, instantiated with the values $\sigma'(t_1), \ldots, \sigma'(t_k)$. If any $n_\lambda$ (with $1 \le \lambda \le j$) originates any value $a \in \mathrm{non}_{A_\ell}$, then we must fail. Otherwise, let the preskeleton $A'$ be the result of adding $n_1 \Rightarrow \ldots \Rightarrow n_j$ to $A_\ell$, and let $A_{\ell+1}$ be its hull. If the hull is undefined, fail. Otherwise, define $\sigma_{\ell+1} = (\mathrm{hull}_{A'} \circ \sigma') \oplus (m \mapsto n_j)$. Return $A_{\ell+1}, \sigma_{\ell+1}$.

$\mathrm{Non}(t)$: By clause 2b in Defn. 3.1, $\sigma_\ell(t) = v$ is well defined. If the result of adding $v$ to $\mathrm{non}_{A_\ell}$ is a skeleton, then this skeleton is $A_{\ell+1}$. Otherwise, we fail. Let $\sigma_{\ell+1} = \sigma_\ell$.

$\mathrm{Unq}(t)$: By clause 2b in Defn. 3.1, $\sigma_\ell(t) = v$ is well defined. If the result of adding $v$ to $\mathrm{unique}_{A_\ell}$ is a preskeleton $A'$ whose hull is a well-defined skeleton, then this skeleton is $A_{\ell+1}$. Otherwise, we fail. Let $\sigma_{\ell+1} = \mathrm{hull}_{A'} \circ \sigma_\ell$.

$\mathrm{Preceq}(m,n)$: By clause 2b in Defn. 3.1, $\sigma_\ell(m)$ and $\sigma_\ell(n)$ are well defined. Let $A_{\ell+1}$ be $A_\ell$ with the ordering enriched so that $\sigma_\ell(m) \preceq_{A_{\ell+1}} \sigma_\ell(n)$, failing if the latter introduces a cycle because in fact $\sigma_\ell(n) \prec_{A_\ell} \sigma_\ell(m)$. Let $\sigma_{\ell+1} = \sigma_\ell$.

$\mathrm{Col}(m,n)$: By clause 2b in Defn. 3.1, $\sigma_\ell(m) = s \downarrow k$ and $\sigma_\ell(n) = s' \downarrow k'$ are well defined. If one strand, e.g. $s$, is at least as long as the other, we would like to map the successive nodes of $s'$ to nodes of $s$. However, their messages and directions in $A_\ell$ may not be the same. If the directions (transmit vs. receive) conflict, then we must fail. Otherwise, if the successive messages are unequal, we may succeed by unifying them.

Let $\beta$ be the most general unifier such that, for each $i$ where both $s \downarrow i$ and $s' \downarrow i$ are defined,

$\beta(\mathrm{msg}(s \downarrow i)) = \beta(\mathrm{msg}(s' \downarrow i))$.

Let $A'$ be the preskeleton resulting from applying $\beta$ throughout $A_\ell$, failing if this is impossible because any value in $\mathrm{non}_{A'}$ would originate somewhere. Let $A''$ be the preskeleton resulting from omitting $\beta(s')$, and identifying its nodes with those of $\beta(s)$, failing if this identification introduces any cycle into the ordering. If $A''$ does not have a well defined hull, then fail. Otherwise, let that hull be $A_{\ell+1}$. Let $\sigma_{\ell+1} = \mathrm{hull}_{A''} \circ \beta \circ \sigma_\ell$.
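The satisfaction clauses of Section 4 and the step-by-step construction of cs(φ) above, as an added Python illustration that is not part of the paper and is not CPSA's code. It assumes a tuple encoding of messages and of roles described in its docstring, handles the RP, Non, Unq and Preceq cases (the Col case and its unification step are left out), and replaces the general hull by the special case in which the two strands carrying a doubly-originating unique value agree syntactically, one being a prefix of the other; the role table ROLES used in the usage note, the predicate encodings and all function names are choices made for this illustration.

```python
"""Skeletons, atomic-formula satisfaction and a simplified cs(phi): an added
illustration, not code from the paper or CPSA.  Messages: ("enc", body, key)
for {|body|}_key, ("cat", a, b) for a ^ b, strings for atoms and variables.
A role is (parameter names, [(direction, message), ...]); a node is a pair
(strand index, position); directions are "+" (transmit) and "-" (receive)."""

def ingredients(t):
    """Atoms reachable by a path that never traverses a key edge."""
    if isinstance(t, str):
        return {t}
    return ingredients(t[1]) | (set() if t[0] == "enc" else ingredients(t[2]))

def subst(t, alpha):
    """Copy the message tree, replacing each atom or variable via alpha."""
    if isinstance(t, str):
        return alpha.get(t, t)
    return (t[0], subst(t[1], alpha), subst(t[2], alpha))

def originates(strand, i, v):
    """v is transmitted at node i and is no ingredient of an earlier node."""
    return (strand[i][0] == "+" and v in ingredients(strand[i][1])
            and all(v not in ingredients(m) for _, m in strand[:i]))

class Skeleton:
    def __init__(self):
        self.strands, self.order = [], set()        # order: pairs n0 <= n1
        self.non, self.unique = set(), set()

    def preceq(self, m, n):
        """m <= n in the closure of strand succession and self.order."""
        seen, todo = set(), [m]
        while todo:
            x = todo.pop()
            if x == n:
                return True
            if x not in seen:
                seen.add(x)
                if x[1] + 1 < len(self.strands[x[0]]):
                    todo.append((x[0], x[1] + 1))
                todo.extend(b for a, b in self.order if a == x)
        return False

    def origin_strands(self, v):
        return {s for s, st in enumerate(self.strands) for i in range(len(st)) if originates(st, i, v)}

    def is_skeleton(self):
        return (not any(self.origin_strands(v) for v in self.non)                # Non
                and all(len(self.origin_strands(v)) <= 1 for v in self.unique)   # Unq
                and all(a == b or not self.preceq(b, a) for a, b in self.order))  # acyclic

def satisfies(A, sigma, roles, atom):
    """Base clauses of satisfaction; False if a free variable is unassigned."""
    pred = atom[0]
    args = [sigma.get(x) for x in atom[(3 if pred == "RP" else 1):]]
    if None in args:
        return False
    if pred == "RP":                # ("RP", role, j, m, t1, ..., tk)
        params, rnodes = roles[atom[1]]
        node, j, alpha = args[0], atom[2], dict(zip(params, args[1:]))
        return node[1] == j - 1 and A.strands[node[0]][:j] == [
            (d, subst(x, alpha)) for d, x in rnodes[:j]]
    return {"Non": lambda: args[0] in A.non, "Unq": lambda: args[0] in A.unique,
            "Col": lambda: args[0][0] == args[1][0],
            "Preceq": lambda: A.preceq(args[0], args[1])}[pred]()

def hull(A, sigma):
    """Merge strands on which one unique value originates twice; handled only
    when the shorter strand equals a prefix of the longer (no unification)."""
    for v in A.unique:
        while len(A.origin_strands(v)) > 1:
            short, long_ = sorted(sorted(A.origin_strands(v))[:2],
                                  key=lambda s: len(A.strands[s]))
            if A.strands[long_][:len(A.strands[short])] != A.strands[short]:
                return None
            ren = lambda nd: (long_, nd[1]) if nd[0] == short else nd
            A.order = {(ren(a), ren(b)) for a, b in A.order}
            sigma = {x: ren(y) if isinstance(y, tuple) else y for x, y in sigma.items()}
            A.strands[short] = []   # dropped; other strand indices stay valid
    return A, sigma

def cs(roles, phi):
    """cs for RP/Non/Unq/Preceq atoms (Col omitted); None when no skeleton remains."""
    A, sigma = Skeleton(), {}
    for atom in phi:
        if atom[0] == "RP":
            role, j, m, *ts = atom[1:]
            for t in ts:
                sigma.setdefault(t, f"{t}_{len(sigma) + 1}")   # fresh atom for a new variable
            params, rnodes = roles[role]
            alpha = dict(zip(params, (sigma[t] for t in ts)))
            A.strands.append([(d, subst(x, alpha)) for d, x in rnodes[:j]])
            sigma[m] = (len(A.strands) - 1, j - 1)
        elif atom[0] == "Non":
            A.non.add(sigma[atom[1]])
        elif atom[0] == "Unq":
            A.unique.add(sigma[atom[1]])
        elif atom[0] == "Preceq":
            A.order.add((sigma[atom[1]], sigma[atom[2]]))
        hulled = hull(A, sigma)
        if hulled is None or not hulled[0].is_skeleton():
            return None
        A, sigma = hulled
    return A, sigma
```

With a two-role table such as ROLES = {"init": (["n", "K"], [("+", ("enc", "n", "K")), ("-", "n")]), "resp": (["n", "K"], [("-", ("enc", "n", "K")), ("+", "n")])}, the claim RP_init,2(m, x, y) ∧ Non(y) ∧ Unq(x) yields one initiator strand with fresh atoms, the claim RP_init,2(m, x, y) ∧ Non(x) fails because x originates on that strand, two initiator instances with the same parameters followed by Unq(x) are merged by the hull, and a pair of opposite Preceq atoms fails at the cycle check; the is_skeleton test after every step is what makes failure coincide with unsatisfiability in these cases.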

Theorem 5.2 If a security claim $\phi = \bigwedge_{1 \le i \le \ell} \phi_i$ is unsatisfiable, the procedure above fails. If $\phi$ is satisfiable, then the procedure returns a pair $A, \sigma$ that is characteristic for $\phi$.

Proof: We follow the inductive definition of $\mathrm{cs}(\phi)$.

Base Case. Let $\ell = 0$, and $\phi = \mathrm{true}$. Then $\mathrm{cs}(\mathrm{true})$ is the empty skeleton $A_0$. In fact, every $B$ satisfies $\mathrm{true}$ via the empty substitution, and there exists exactly one homomorphism $H : A_0 \mapsto B$.

Recursive Step. Let $\phi = \bigwedge_{1 \le i \le \ell+1} \phi_i$, and let $\phi^- = \bigwedge_{1 \le i \le \ell} \phi_i$ be its predecessor, with all but the last conjunct of $\phi$. Let $A_\ell = \mathrm{cs}(\phi^-)$ be a characteristic skeleton for all but the last conjunct, relative to $\sigma_\ell$. In particular, $\phi^-$ is satisfiable. If $\phi$ is unsatisfiable, then we need to check that we will fail at this step. If this step succeeds, then we need to show that $A_{\ell+1}, \sigma_{\ell+1}$ are characteristic for $\phi$.

Suppose that, for any $B, \tau$, we have $B, \tau \models \phi$. Then $B$ also satisfies $\phi^-$, so by the induction hypothesis, there is a unique homomorphism $H_\ell = [\zeta_\ell, \alpha_\ell] : A_\ell \mapsto B$ to within isomorphism. Moreover, $\tau \restriction \mathrm{fv}(\phi^-) = \alpha_\ell \circ \sigma_\ell$. We take cases on the form of the last conjunct, $\phi_{\ell+1}$. In each case, $H_\ell$ can be adjusted to form a unique homomorphism $H_{\ell+1} : A_{\ell+1} \mapsto B$, to within isomorphism. We use the same notation as in the corresponding cases of the definition of $\mathrm{cs}$.

$\mathrm{RP}_{i,j}(m, t_1, \ldots, t_k)$: This is not jointly satisfiable with $\phi^-$ iff the new nodes $n_1 \Rightarrow \ldots \Rightarrow n_j$ originate a value $a \in \mathrm{non}_{A_\ell}$, or if the hull is not defined. In these cases, $\mathrm{cs}$ fails. Otherwise, $B, \tau \models \phi$, and, since $\mathrm{RP}_{i,j}(m, t_1, \ldots, t_k)$ is its last conjunct, $B, \tau \models \mathrm{RP}_{i,j}(m, t_1, \ldots, t_k)$. Thus, $\tau(m)$ is an instance of $\rho_i \downarrow j$ with parameters $\tau(t_1), \ldots, \tau(t_k)$. Naming $\tau(m) = n'_j$, we have $n'_1 \Rightarrow \ldots \Rightarrow n'_j$, and by the construction of $\mathrm{cs}(\phi)$, we have $n_1 \Rightarrow \ldots \Rightarrow n_j$ in $\mathrm{cs}(\phi)$. Thus, we can extend the node map $\zeta_\ell$ to $\zeta_{\ell+1}$ by mapping each $n_\lambda$ to $n'_\lambda$. This is the only extension compatible with $\tau$.

Moreover, for each new variable $v$ appearing in $t_1, \ldots, t_k$, we extend $\alpha_\ell$ by sending $\sigma_{\ell+1}(v)$ to $\tau(v)$. By the construction of $\sigma_{\ell+1}(v)$, this is a new value, not equal to any value mentioned in $A_\ell$. So $\alpha_{\ell+1}$ is a partial function. Moreover, there is no other way to extend $\alpha_\ell$ compatible with $\tau$. The resulting $\alpha_{\ell+1}$, together with $\zeta_{\ell+1}$, forms a homomorphism $A_{\ell+1} \mapsto B$, and is uniquely determined.

$\mathrm{Non}(t)$: If not jointly satisfiable with $\phi^-$, then $\sigma_{\ell+1}(t)$ originates in $A_\ell$, and $\mathrm{cs}$ fails. Otherwise, since $B, \tau \models \phi_{\ell+1}$, $\tau(t) \in \mathrm{non}_B$, so $H_\ell$ is also a homomorphism from $A_{\ell+1}$ to $B$.

$\mathrm{Unq}(t)$: The universality of the $\mathrm{hull}_{A'}$ homomorphism among homomorphisms to realized skeletons ensures that $H_\ell$ factors through $\mathrm{hull}_{A'}$.

$\mathrm{Preceq}(m,n)$: Since $B, \tau \models \phi_{\ell+1}$, $\tau(m) \preceq_B \tau(n)$, so $H_\ell$ is also a homomorphism from $A_{\ell+1}$ to $B$.

$\mathrm{Col}(m,n)$: In the non-failing case, $\zeta_\ell$ maps $\sigma_\ell(m)$ and $\sigma_\ell(n)$ to nodes on the same strand. Thus, $H_\ell$ factors through the homomorphism from $A_\ell$ to $A_{\ell+1}$.

□ 

6 Security Goals 

We turn now to our second result, which puts the pieces together. 

Theorem 6.1 Suppose that $G = \forall \bar{x} . (\phi \supset \exists \bar{y} . \psi)$ is a security goal in $\mathcal{L}(\Pi)$ where $\phi$ is satisfiable. $\Pi$ achieves $G$ iff, whenever $H : \mathrm{cs}(\phi) \mapsto B$ is a shape, there is a $\sigma$ such that $B, \sigma \models \psi$.

Proof: 1. Suppose that $\Pi$ achieves $G$. By Thm. 5.2, $\mathrm{cs}(\phi)$ is well-defined. By Lemma 4.3, $H : \mathrm{cs}(\phi) \mapsto B$ implies that $B$ satisfies $\phi$. If $B$ is a shape, it is realized. Since $\Pi$ achieves $G$, $B$ satisfies $\psi$.

2. Suppose that $\Pi$ does not achieve $G$, so that there is a realized $C$ which satisfies $\neg G$. Let $\psi = \bigvee_{1 \le i \le k} \psi_i$. Using the Tarski satisfaction clauses and the disjointness of $\bar{x}, \bar{y}$, we obtain a $\sigma_C$ such that

$C, \sigma_C \models \phi \wedge \bigwedge_{1 \le i \le k} \neg \psi_i$.

Since $C, \sigma_C \models \phi$, there is a $J$ such that $J : \mathrm{cs}(\phi) \mapsto C$, and $\sigma_C \restriction \mathrm{fv}(\phi) = J \circ \sigma^*$. Using Prop. 8 of the extended version of [8], $J = K \circ H$ where $H : \mathrm{cs}(\phi) \mapsto B$ is a shape.

If this $B$ satisfied any $\psi_i$, then so would $C$ by Lemma 4.3, contradicting the choice of $\sigma_C$. □

Conclusion. We have explained a way to ensure that a protocol achieves a security goal $G$. We use the antecedent to choose a skeleton, namely $\mathrm{cs}(\phi)$. We then obtain the shapes accessible from $\mathrm{cs}(\phi)$, e.g. by using CPSA. If any shape does not satisfy any disjunct of the conclusion of $G$, then we have a counterexample. If no counterexample is found, then $G$ is achieved.

In future work, we will apply this method to protocol transformation. It suggests a criterion to ensure that the result $\Pi_2$ of a protocol transformation preserves all goals achieved by its source protocol $\Pi_1$.

Acknowledgments. I am grateful to my colleagues, Leonard Monk, John Ramsdell, and Javier Thayer, for many relevant discussions. Marco Carbone gave valuable comments. John Ramsdell is the author of

A Messages and Protocols

Messages are abstract syntax trees in the usual way:

1. Let $\ell$ and $r$ be the partial functions such that for $t = \{|t_1|\}_{t_2}$ or $t = \mathsf{tag}\; t_1 \,\hat{}\, t_2$, $\ell(t) = t_1$ and $r(t) = t_2$; and for $t \in \mathfrak{A}_0$, $\ell$ and $r$ are undefined.

2. A path $p$ is a sequence in $\{\ell, r\}^*$. We regard $p$ as a partial function, where $() = \mathrm{Id}$ and $\mathrm{cons}(f, p) = p \circ f$. When the rhs is defined, we have: 1. $()(t) = t$; 2. $\mathrm{cons}(\ell, p)(t) = p(\ell(t))$; and 3. $\mathrm{cons}(r, p)(t) = p(r(t))$.

3. $p$ traverses a key edge in $t$ if $p_1(t)$ is an encryption, where $p = p_1 \frown \langle r \rangle \frown p_2$.

4. $t_0$ is an ingredient of $t$, written $t_0 \sqsubseteq t$, if $t_0 = p(t)$ for some $p$ that does not traverse a key edge in $t$.

5. $t_0$ appears in $t$, written $t_0 \ll t$, if $t_0 = p(t)$ for some $p$.

A message $t_0$ originates at a node $n_1$ if (1) $n_1$ is a transmission node; (2) $t_0 \sqsubseteq \mathrm{msg}(n_1)$; and (3) whenever $n_0 \Rightarrow^+ n_1$, $t_0 \not\sqsubseteq \mathrm{msg}(n_0)$.

In the tree model of messages, to apply a homomorphism, we walk through, copying the tree, but inserting $\alpha(a)$ every time an atom $a$ is encountered, and inserting $\alpha(x)$ every time that an indeterminate $x$ is encountered.
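The path machinery of items 1 to 5 and the origination condition, as an added Python illustration that is not part of the paper and is not CPSA's code. It assumes the tuple encoding of messages given in its docstring, with a key edge being the right edge out of an encryption; the constructed sample strand STRAND and the function names are choices made for this illustration.

```python
"""Paths over message trees, key edges, ingredient vs. appears, and origination:
an added illustration, not code from the paper or CPSA.  Messages are
("enc", t1, t2) for {|t1|}_t2, ("cat", t1, t2) for t1 ^ t2, and strings for
atoms; a path is a tuple over {"l", "r"}."""

def proj_l(t):
    """The partial function l; None (undefined) on an atom."""
    return None if isinstance(t, str) else t[1]

def proj_r(t):
    """The partial function r; None (undefined) on an atom."""
    return None if isinstance(t, str) else t[2]

def apply_path(p, t):
    """p as a partial function: () = Id and cons(f, p) = p o f."""
    for f in p:
        t = (proj_l if f == "l" else proj_r)(t)
        if t is None:
            return None
    return t

def traverses_key_edge(p, t):
    """Some split p = p1 ^ <r> ^ p2 such that p1(t) is an encryption."""
    for i, f in enumerate(p):
        u = apply_path(p[:i], t)
        if f == "r" and isinstance(u, tuple) and u[0] == "enc":
            return True
    return False

def paths_to(t0, t, p=()):
    """All paths p with p(t) = t0 (t0 may occur several times in t)."""
    found = [p] if t == t0 else []
    if not isinstance(t, str):
        found += paths_to(t0, t[1], p + ("l",)) + paths_to(t0, t[2], p + ("r",))
    return found

def appears(t0, t):
    """t0 << t: some path reaches t0."""
    return bool(paths_to(t0, t))

def is_ingredient(t0, t):
    """t0 is an ingredient of t: some path reaching t0 traverses no key edge."""
    return any(not traverses_key_edge(p, t) for p in paths_to(t0, t))

def originating_nodes(strand, t0):
    """Positions on a strand [(direction, message), ...] at which t0 originates:
    transmitted there, and no ingredient of any earlier node on the strand."""
    return [i for i, (d, m) in enumerate(strand)
            if d == "+" and is_ingredient(t0, m)
            and not any(is_ingredient(t0, m0) for _, m0 in strand[:i])]

# Constructed sample: K is first seen only in key position, then sent in the clear,
# so K originates at the transmission node even though it appeared earlier.
STRAND = [("-", ("enc", ("cat", "n", "A"), "K")), ("+", ("cat", "n", "K"))]
```

The distinction that matters for origination is visible on STRAND: the key K appears in the first message but is not an ingredient of it, so the later transmission of K in the clear is where K originates, whereas n, an ingredient of the received message, originates nowhere on this strand.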

Protocols. A protocol $\Pi$ is a finite set of strands which includes $\mathrm{Lsn}[x]$, representing the roles of the protocol.

A principal executing a role such as the initiator's role in Fig. 1 may be partway through its run; for instance, it may have executed the first transmission node without "yet" having executed its second event, the reception node.

Definition A.1 Node $n$ is a role node of $\Pi$ if $n$ lies on some $\rho \in \Pi$.

Let $n_j$ be a role node of $\Pi$ of the form $n_1 \Rightarrow \ldots \Rightarrow n_j \Rightarrow \ldots$ Node $m_j$ is an instance of $n_j$ if, for some homomorphism $\alpha$, the strand of $m_j$, up to $m_j$, takes the form: $\alpha(n_1) \Rightarrow \ldots \Rightarrow \alpha(n_j) = m_j$.

That is, messages and their directions, transmission or reception, must agree up to node $j$. However, any remainders of the two strands beyond node $j$ are unconstrained. They need not be compatible. When a protocol allows principals to decide between different behaviors after step $j$, based on the message contents of their run, then this definition represents branching [12, 16]. At step $j$, one doesn't yet know which branch will be taken.



